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SUMMARY 

A.  SAFETY  PROGRAM.  The  system  safety  program  for  the  MK  1  MOD  0  LSO  HUD 
Console  System  consists  of  the  following  elements: 

1.  Hazards/failure  modes  and  effects  analysis  to  identify  personnel 
hazards  and  equipment  failure  modes. 

2.  Safety  testing  and  verification  to  evaluate  and  compare  analysis 
results  with  operational  hardware. 

3.  Corrective  actions  implemented  and  planned  for  implementation  to  elim¬ 
inate  or  control  the  more  severe  hazards. 

B.  RESULT5  AND  RECOMMENDATIONS 


1.  Appendix  A  summarizes  the  more  severe  hazards  identified  by  analysis 
and  lists  planned  corrective  actions  where  appropriate. 

2.  Implementation  of  planned  corrective  actions  will  provide  reasonable 
assurance  that  the  LSO  HUD  Console  System  will  be  operated  and  maintained  in 
safety. 


3.  Completion  of  the  safety  test  and  verification  phase  for  the  Hydraulic 
Lifting  Unit  Subsystem  will  provide  the  final  assurance  that  overall  safety  re 
quirements  have  been  met. 
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I.  INTRODUCTION 

A.  GENERAL:  This  report  documents  the  System  Safety  Program  as  it  applies 
to  the  MK1  MOD  0  LSO  (Landing  Signal  Officer)  HUD  (Heads-Up-Display)  Console 
System.  The  safety  program  is  in  general  accordance  with  MIL-STD-882A 
(reference  (a))  and  the  Safety  Engineering  Plan  for  the  LSO  HUD  Console  System 
(reference  (b)). 

B.  ACCOMPLISHMENTS:  Safety  program  accomplishments  include: 

1.  H/FMEA  (Hazards/Failure  Modes  and  Effects  Analysis)  on  the  entire  LSO 
HUD  Console  System  (reference  (c)). 

2.  Safety  testing  and  verification  of  the  display  subsystem  at  the 
Pacific  Missile  Test  Center. 

3.  Limited  safety  verification  of  the  Hydraulic  Lifting  Unit  Subsystem 
at  the  Naval  Air  Engineering  Center. 

4.  Implementation  of  corrective  actions  to  eliminate  or  control  several 
hazards  identified  in  the  H/FMEA. 

5.  Planned  corrective  actions  to  eliminate  or  control  the  remaining 
verified  Category  I  and  II  hazards  identified  in  the  H/FMEA. 

C.  PRINCIPLE  AGENTS:  The  principle  agents  involved  with  administering  the 
LSO  HUD  Console  System  Safety  Program  are: 

1.  NAVAIRSYSCOM  (Naval  Air  Systems  Command):  Acquisition  Management, 

Code  5512D. 

2.  NAVAIRENGCEN  (Naval  Air  Engineering  Center): 

a.  Program  Management,  Code  91118 

b.  System  Design  Cognizance,  Code  91132 

c.  Safety  Coordination,  Code  91133 

d.  Safety  Test  and  Evaluation,  Code  94 


Ref: (a)  MIL-STD-882A;  System  Safety  Program  Requirements,  28  June  1977 

(b)  NAVAIRENGCEN-ENG-7932;  Safety  Engineering  Plan,  Landing  Signal 
Officer  (LSO)  Heads-Up-Display  (HUD)  Console  MK1  MOD  0, 

28  March  1977 

(c)  NAVAIRENGCEN  Report  NAEC  91-7958;  Hazards/Failure  Modes  and 
Effects  Analysis,  MK  1  MOD  0  LSO  HUD  Console  System,  24  March  1980 
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3.  PACMISTESTCEN  (Pacific  Missile  Test  Center):  Display  Subsystem  final 
development  and  safety  test  and  evaluation  Code  1170. 

4.  Ketron,  Inc,  Wayne  Pennsylvania:  Hazards/failure  modes  and  effects 
analysis. 
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II.  SYSTEM  DESCRIPTION 

A.  The  LSO  HUD  Console  System  is  located  at  the  LSO' s  (Landing  Signal  Officer) 
Work  Station  on  the  aircraft  carrier. 

B.  The  mission  of  the  LSO  Work  Station  Facility  is  to  serve  as  a  focal  point 
for  recovery  information  display  and  communications  required  for  flight-path 
guidance  control  coordination  between  the  LSO  and  pilot  of  the  landing  air¬ 
craft.  The  MK  1  MOD  0  LSO  HUD  Console  System  has  been  developed  as  part  of 

an  effort  to  increase  the  accessibility  and  visibility  of  information  displays 
and  communications  facilities  in  the  LSO  Work  Station  to  permit  more  rapid 
perception  and  response  by  the  LSO  to  flight-path  deviations  under  all  weather 
conditions  to  improve  the  safety  of  recovery  operations. 

C.  The  LSO  HUD  Console  System  consists  of  a  Display  Subsystem  and  a  Hydraulic 
Lifting  Unit  Subsystem. 

1.  The  Display  Subsystem  receives  data  signals  from  various  existing 
shipboard  systems  for  processing  and  display  in  the  LSO  HUD  Console.  Cali¬ 
bration,  testing,  and  troubleshooting  of  display  circuits  is  facilitated  with 
a  piece  of  portable  special  purpose  test  equipment.  Those  systems  providing 
inputs  to  the  HUD  console  include: 

a.  SPN-42  Radar  (Automatic  Carrier  Landing  System) 

b.  SPN-44  Radar 

c.  ILARTS  (Integrated  Launch  and  Recovery  Television  Surveillance)  or 
PLAT  (Pilot  Landing  Aid  Television)  System 

d.  FLOLS  (Tresnel  Lens  Optical  Landing  System)/Arresting  Gear  Cross- 
Check  System 

e.  Landing  Area  Status  System 

f.  Ship's  Wind  Measuring  System 

g.  Ship's  21MC  Intercom  System 

h.  MOVLAS  (Manually-Operated  Visual  Landing  Aid  System)  MK  1,  MOD  2 

i.  FLOLS  MK  6  MOD  3  or  MK  6  MOD  2  with  Trim/Harmonization  Computer 

j.  FLOLS  Wave-Off  Subsystem 

2.  The  Hydraulic  Lifting  Unit  Subsystem  provides  a  means  for  raising  the 
HUD  Console  to  an  adjustable  height  to  accomodate  viewing  by  an  LSO  standing 
on  the  LSO  Platform.  It  also  provides  for  lowering  the  HUD  Console  to  an 
unobstructing  level  below  the  flight  deck  into  a  storage  enclosure.  Raising 
and  lowering  control  is  accomplished  within  the  LSO  Work  Station,  and  control 
circuit  interlocks  guard  against  retracting  the  Console  when  it  is  misaligned 
with  its  storage  enclosure  or  raising  the  Console  when  the  storage  enclosure 
lid  is  down. 
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III.  SAFETY  ANALYSIS 

A.  GENERAL:  The  H/FMEA  of  the  LSO  HUD  Console  System  (see  reference  (c))  was 
performed  by  Ketron,  Inc.  to  identify  personnel  hazards  and  singlepoint  fail¬ 
ure  modes  that  could  result  in: 

1.  Personnel  injury  or  death; 

2.  Equipment  damage  or  loss; 

3.  System  mission  impairment  or  loss. 

Design  improvement  recommendations  were  made  to  prevent  or  greatly  reduce  the 
likelihood  of  the  above  undesirable  events. 

B.  ANALYSIS  FORMAT:  Format  for  the  H/FMEA  is  shown  in  Figure  1.  Hazard 
level  and  probability  classification  are  listed  at  the  bottom  of  Figure  1. 
Hazard  level  is  further  defined  as  follows: 

1.  Category  I  -  Catastrophic:  Will  cause  death  or  severe  injury  to  per¬ 
sonnel  or  system  loss. 

2.  Category  II  -  Critical:  Will  cause  personnel  injury  or  major  system 
damage,  or  will  require  immediate  corrective  action  for  personnel  or  system 
survival. 

3.  Category  III  -  Marginal:  Can  be  counteracted  or  controlled  without 
injury  to  personnel  or  major  system  change. 

4.  Category  IV  -  Negligible:  Will  not  result  in  personnel  injury  or  sys¬ 
tem  damage. 

C.  ANALYSIS  SUMMARY  AND  HAZARD  LEVEL  REASSIGNMENT 


1.  The  H/FMEA  has  been  reviewed  for  accuracy  and  validity  by  both  the 
Naval  Air  Engineering  Center  and  the  Pacific  Missile  Test  Center,  Point 
Mugu,  California.  The  hazards  identified  as  Category  I  or  II  in  the  H/FMEA 
have  been  summarized  and  evaluated  in  terms  of  corrective  action  in 
Appendix  A  of  this  report.  Appendix  A  contains: 

a.  Failure  modes,  hazards  and  their  effects  (Category  I  and  II  only). 

b.  Design  changes  and  compensating  provisions  which  have  been  incor¬ 
porated  in  the  LSO  HUD  Console  System  as  a  result  of  the  analysis. 

c.  Proposed  design  changes  and  compensating  provisions. 

d.  Rationale  for  taking  no  action,  where  appropriate. 

2.  In  some  areas  the  H/FMEA  has  been  found  inaccurate  and  in  need  of 
hazard  level  reassignment: 

a.  The  primary  function  of  the  LSO-HUD  Console  System  is  the  enhance¬ 
ment  of  signals  and  cues  already  available  to  the  LSO.  Therefore,  the  failure 
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of  part  or  all  of  the  system,  barring  major  system  damage,  should  not  be  con¬ 
strued  as  hazard  Category  I  or  II. 

b.  Where  hazard  Category  I  or  II  has  been  incorrectly  assigned, 
for  the  above  or  other  reasons,,  Appendix,  A  documents  a  reassignment  of  hazard 
level. 
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IV.  SAFETY  TESTING  AND  VERIFICATION 

A.  GENERAL:  Safety  testing  and  verification  is  a  process  of  evaluating  and 
comparing  analysis  results  with  the  actual  operational  equipment. 

1.  Testing  and  verification  was  accomplished  on  the  Display  Subsystem 
equipment  at  the  PACMISTESTCEN. 

2.  Limited  verification  of  the  Hydraulic  Lifting  Unit  Subsystem  was 
accomplished  at  the  NAVAIRTESTCEN .  Further  verification  of  H/FMEA  data, 
including  safety  testing,  as  necessary,  will  be  performed  by  the  NAVAIRENGCEN 
Test  Department  (Code  94)  at  the  conclusion  of  environmental  tests  under  way 
at  this  writing. 

B.  TESTING 


1.  Testing  at  PACMISTESTCEN  involved  the  application  of  overvoltage  to 
the  various  signal  inputs  in  the  Display  Console  to  determine  susceptibility 
to  power  supply  transients  from  the  test  simulator  assembly. 


2. 

inputs 

A  voltage  of  140  VAC  at  60  Hz  was  applied  to  the  following  display 
for  a  minimum  of  5  seconds.  No  damage  occurred: 

a. 

Range 

b. 

Ramp  Motion 

c. 

Trim 

d. 

Rate  of  Descent 

e. 

SPN-42  TAS 

f. 

SPN-42  CLSG 

g- 

SPN-42  ALT  Error 

h. 

SPN-42  LAT  Error 

i. 

ACLS  Aircraft  Type  (22  inputs) 

3. 

The 

following  display  inputs  were  not  subjected  to  the  overvoltage 

test  due  to  high  probability  of  damage: 

a.  MOVLAS  (23  inputs)  -  6  volts  maximum 

b.  ACLS  Mode  (3  inputs)  -  32  volts  maximum 

c.  ACLS  Lock-ON  -  32  volts  maximum 

d.  ACLS  Wave-Off  -  32  volts  maximum 

e.  LSO  Wave-Off  -  32  volts  maximum 

11 


NAEC-91-7983 


C.  VERIFICATION 

1.  Display  Subsystem  hardware  (display  console  and  auxiliary  electronics 
box)  was  examined  at  PACMISTESTCEN  with  respect  to  the  hazards  and  failure 
modes  listed  in  the  H/FMEA  performed  by  Ketron,  Inc.  The  more  serious  hazards 
were  evaluated  in  terms  of  severity,  probability,  and  recommended  corrective 
action  by  direct  comparison  with  operational  equipment.  PACMISTESTCEN  com¬ 
ments  have  been  incorporated  along  with  NAVAIRENGCEN  comments  in  the  hazard 
level  I  and  II  summary  of  Appendix  A. 

2.  Safety  verification  of  the  NAVAIRENGCEN  designed  Hydraulic  Lifting  Unit 
Subsystem  was  limited  to  a  technical  evaluation  of  H/FMEA  results,  since 
operational  hardware  was  not  yet  available.  (Hardware  safety  verification 
will  be  conducted  by  the  NAVAIRENGCEN  Test  Department.)  As  with  the  Display 
Subsystem,  the  more  serious  hazards  listed  in  the  H/FMEA  were  evaluated  in 
terms  of  severity,  probability,  and  recommended  corrective  action.  The  evalu¬ 
ation  was  performed  by  NAVAIRENGCEN  design  and  safety  personnel.  Their  com¬ 
ments  and  conclusions  for  each  Category  I  and  II  hazard  are  incorporated  in 
Appendix  A. 
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V.  SAFETY  PROGRAM  RESULTS 


A.  H/FMEA  RESULTS 


1.  All  Category  I  and  II  hazards/failure  modes  identified  in  the  H/FMEA 
have  been  resolved  as  delineated  in  Appendix  A.  In  general,  the  hazards/ 
failure  modes  may  be  grouped  as  follows: 

a.  Twenty  of  the  29  hazards/failure  modes  have  been  reassigned  a  less 
severe  rating  of  III  or  IV.  The  most  common  reason  for  reassignment  was  the 
fact  that  Category  I  and  II  was  incorrectly  assigned  to  system  functional 
losses.  Since  the  LSO  HUD  Console  System  functions  as  an  aid  to  aircraft 
recovery,  such  losses  do  not  in  themselves  cause  personnel  injury  or  major 
system  damaage.  Therefore,  Category  I  and  II  does  not  apply,  and  reassignment 
is  required. 

b.  Three  of  the  29  hazards/failure  modes  (Items  9,  12,  and  23  of 
Appendix  A)  will  be  eliminated  or  controlled  by  planned  corrective  actions. 

c.  Three  of  29  hazards/failure  modes  (Items  5,  11,  and  29  of  Appen¬ 
dix  A)  are  considered  very  unlikely  with  low  overall  risk.  Corrective  action 
is  not  warranted. 

d.  Three  of  the  29  hazards/failure  modes  (Items  13,  15,  and  16  of 
Appendix  A)  are  not  considered  legitimate  hazards.  No  corrective  action  is 
required. 

2.  Corrective  action  lias  been  taken  in  the  following  areas: 

a.  Overvoltage  protection  is  now  specified  for  the  DC  power  supplies 
in  the  auxiliary  electronic  box.  (Appendix  A,  Item  8.) 

b.  Hydraulic  filter  has  been  changed  to  reduce  the  probability  of 
hydraulic  pump  damage.  (Appendix  A,  Item  13.) 

c.  Quality  acceptance  testing  has  been  changed  for  the  relays  in  the 
signal  junction  box  and  the  synchro  junction  box  to  provide  compatability  with 
the  low  current  application.  (Appendix  A,  Items  19  and  20.) 

B.  SAFETY  TESTING  ANC  VERIFICATION  RESULTS 


1.  The  application  of  overvoltage  to  the  display  console  verified  that 
most  display  inputs  can  withstand  the  effects  of  transformer  shorts  in  the 
test  simulator  power  supplies.  Further  protection  for  overvoltage  may  be 
mission  desirable  but  is  not  required  from  the  standpoint  of  safety. 

2.  Safety  verification  comments  relative  to  both  the  Display  Subsystem 
and  the  Hydraulic  Lifting  Unit  Subsystem  are  incorporated  in  the  Appendix  A 
hazards/failure  modes  summary. 

\ 

3.  Results  of  formal  safety  test  and  verification  of  the  Hydraulic  Lift¬ 
ing  Unit  Subsystem  will  be  documented  in  the  form  of  a  test  report  upon  com¬ 
pletion  of  the  NAVAIRENGCEN  (Code  94)  test  program. 
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VI.  SAFETY  PROGRAM  CONCLUSIONS  AND  RECOMMENDATIONS 

A.  For  the  most  part,  the  MK  1  MOD  0  LSO  HUD  Console  System  has  been  found 
well  designed  with  appropriately  applied  redundancies  and  fail-safe  princi¬ 
ples. 

B.  The  corrective  actions  accomplished  and  planned  as  a  result  of  this  safe¬ 
ty  program  give  reasonable  assurance  that  the  MK  1  MOD  0  LSO  HUD  Console  Sys¬ 
tem  will  be  operated  and  maintained  in  safety. 

C.  It  is  recommended  that  the  planned  action  identified  in  Appendix  A  be 
implemented: 

1.  In  the  technical  manual  maintenance  procedures,  direct  that  removal 
of  the  PLAT  cathode-ray  tube  take  place  in  a  protected,  shop  area.  Also, 
advise  caution  in  handling  the  tube.  (Appendix  A,  Item  1.) 

2.  In  technical  manual  operating  procedures,  advise  caution  with  respect 
to  lowering  the  HUD  Console  when  askew.  Ensure  planned  maintenance  system 
cards  include  a  daily  check  of  HUD  askew  limit  switch  operation.  (Appen¬ 
dix  A,  Item  12.) 

3.  In  technical  manual  maintenance  procedures,  caution  personnel  to  en¬ 
sure  electrical  power  is  off  before  performing  maintenance  on  the  MOVLAS-HUD 
Interface  Box.  (Appendix  A,  Item  23.) 

4.  In  drawing  package,  add  fillets  to  rod  head  weldments.  (Appendix  A, 
Item  9. ) 

It  is  also  recommended  that  the  safety  test  and  verification  phase  be  com 
pleted  for  the  Hydraulic  Lifting  Unit  Subsystem,  and  the  resulting  recommen¬ 
dations  be  implemented. 
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APPENDIX  A 


LOS  HUD  Console  System  H/FMEA 
(Ref:  NAEC-91-7958): 
Hazard  Category  I  and  II  Summary 
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to  drawings  to  affect 
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